VYPR

apk package

chainguard/jitsucom-jitsu-rotor

pkg:apk/chainguard/jitsucom-jitsu-rotor

Vulnerabilities (40)

  • CVE-2026-2229Mar 12, 2026
    affected < 2.11.0-r17fixed 2.11.0-r17

    ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528Mar 12, 2026
    affected < 2.11.0-r17fixed 2.11.0-r17

    ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version

  • CVE-2026-1527Mar 12, 2026
    affected < 2.11.0-r17fixed 2.11.0-r17

    ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem

  • CVE-2026-2581Mar 12, 2026
    affected < 2.11.0-r17fixed 2.11.0-r17

    This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler

  • CVE-2026-1526Mar 12, 2026
    affected < 2.11.0-r17fixed 2.11.0-r17

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525Mar 12, 2026
    affected < 2.11.0-r17fixed 2.11.0-r17

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-22036Jan 14, 2026
    affected < 2.11.0-r12fixed 2.11.0-r12

    Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocatio

  • CVE-2025-14874Dec 18, 2025
    affected < 2.11.0-r8fixed 2.11.0-r8

    A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

  • CVE-2025-65945Dec 4, 2025
    affected < 2.11.0-r10fixed 2.11.0-r10

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us

  • CVE-2025-66030Nov 26, 2025
    affected < 2.11.0-r8fixed 2.11.0-r8

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.

  • CVE-2025-66031Nov 26, 2025
    affected < 2.11.0-r8fixed 2.11.0-r8

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re

  • CVE-2025-12816Nov 25, 2025
    affected < 2.11.0-r8fixed 2.11.0-r8

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s

  • CVE-2025-13033HigNov 14, 2025
    affected < 2.11.0-r4fixed 2.11.0-r4

    A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m

  • CVE-2025-64718Nov 13, 2025
    affected < 2.11.0-r7fixed 2.11.0-r7

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-58754Sep 12, 2025
    affected < 2.11.0-r2fixed 2.11.0-r2

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire

  • CVE-2025-9910MedSep 11, 2025
    affected < 2.11.0-r3fixed 2.11.0-r3

    Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and th

  • CVE-2025-57752Aug 29, 2025
    affected < 2.11.0-r1fixed 2.11.0-r1

    Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such

  • CVE-2025-55173Aug 29, 2025
    affected < 2.11.0-r1fixed 2.11.0-r1

    Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file download

  • CVE-2025-57822Aug 29, 2025
    affected < 2.11.0-r1fixed 2.11.0-r1

    Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. Thi

  • CVE-2025-7783CriJul 18, 2025
    affected < 2.10.0-r4fixed 2.10.0-r4

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

Page 1 of 2